This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Destination NAT translation is not working os .5.0.10

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Destination NAT translation is not working os .5.0.10

Satish
L4 Transporter

‎01-09-2015 03:15 AM

Hi Friends,

PAN OS 5.0.10 is running. i have create a destination NAT translation but is not working and also i am not getting any logs. please suggest.

gts.PNG

NAT.png

Regards

Satish

0 Likes Likes
8 REPLIES 8

Wenar
L3 Networker

‎01-09-2015 03:34 AM

Do you have a security policy for this traffic with activated logging?

0 Likes Likes

Satish
L4 Transporter
In response to Wenar

‎01-09-2015 03:38 AM

Hi Wenar,

Yes, I have already a security policy for that.

Regards

Satish

0 Likes Likes

Wenar
L3 Networker
In response to Satish

‎01-09-2015 05:24 AM

Can you post a screenshot of the security policy? Keep in mind that your security policy has to look like this:

Source:Any

Source Zone: Any (or Untrust)

Destination: Public IP

Destination Zone: Zone for Private IP

You should see the traffic in the traffic log.

rborda
L3 Networker

‎01-09-2015 08:40 AM

Hi Satish,

Verify your Security Policy and NAT policy look like what you see below. Make sure that Destination address for your NAT and Security Policy is your Public IP.

Also, for your NAT policy use Source Zone: Untrust, Destination Zone: Untrust. Use only Private IP in your Translated Destination Address.

Security Policy

SecurityPolicy.JPG

Nat policy

NATPolicy.JPG

Regards

bat
L5 Sessionator

‎01-09-2015 12:55 PM

Satish

Could you confirm if the traffic for that IP address is even reaching the firewall ? Try configuring packet capture and see if the packet is reaching the firewall, if it's not then it should be a simple ARP or routing issue.

Hope it helps !

oklier
L3 Networker
In response to bat

‎01-09-2015 02:13 PM

Hurricane electric has a helpful public looking glass utility: Looking Glass - Hurricane Electric (AS6939). They even have an app for the Android Smiley Happy.

0 Likes Likes

pulukas
L7 Applicator

‎01-10-2015 05:38 AM

I would start by filtering your policy logs by the source address of the attempt.  Then you can see what policy the traffic is hitting in your firewall.  Make sure you do have a logging final deny all policy so it is not silently dropped and that logging is enabled for all policies.

Nat columns can be added to the monitor policy logs so you will also see from here if the traffic is being recognized by any of the nat rules.

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center
0 Likes Likes

parmas
L2 Linker

‎01-10-2015 06:13 AM

Just to add something that has not been mentioned... It could be possible that the traffic is indeed reaching the firewall and the NAT itself working properly, but you need to make sure you have a route not only on the firewall to reach the private IP, but also a route configured on the server itself to get back to the outside world through the same firewall interface that was used to forward the incoming packets.

Hope this helps.

0 Likes Likes
  • 4374 Views
  • 8 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks